Abstract. Convex polyhedral abstractions of logic programs have been found very useful in deriving numeric relationships between program arguments in order to prove program properties and in other areas such as termination and complexity analysis. We present a tool for constructing polyhedral analyses of (constraint) logic programs. The aim of the tool is to make available, with a convenient interface, state-of-the-art techniques for polyhedral analysis such as delayed widening, narrowing, "widening up-to", and enhanced automatic selection of widening points. The tool is accessible on the web, permits user programs to be uploaded and analysed, and is integrated with related program transformations such as size abstractions and query-answer transformation. We then report some experiments using the tool, showing how it can be conveniently used to analyse transition systems arising from models of embedded systems, and an emulator for a PIC microcontroller which is used for example in wearable computing systems. We discuss issues including scalability, tradeoffs of precision and computation time, and other program transformations that can enhance the results of analysis.

1 Introduction 

Convex polyhedron analysis was first described by Cousot and Halbwachs [22]. It is an application of abstract interpretation where the program to be analysed is interpreted over the abstract domain of convex polyhedra.

In logic programs, predicates whose variables range over numbers define numeric relations. Each n-ary numeric predicate is approximated by an n-dimensional polyhedron describing linear relationships between its arguments. For programs whose variables do not range over numbers, some abstraction such as a size norm is applied before computing a polyhedron approximation. In (constraint) logic programming (CLP), convex polyhedron analysis has been used as part of termination analysers [26], for time-complexity analysis and argument-size analysis [8,9].

Our interest lies both in the above application areas and also in analysing programs 
that model transition systems and operational semantics of various kinds, in order to 
discover invariant relations among state variables, or to check whether certain numeric 
relationships ever occur in reachable states. We discuss such applications later in the 
paper. The use of polyhedra for analysis of hardware and software has of course been 
investigated by others (e.g. [24,12,6]); our approach is to define mappings from such 
systems to CLP models, hence transforming the problem to a CLP analysis problem and 
allowing a single tool to analyse many formalisms. 

In this paper we report on a tool whose aim is to assist in exploring the effectiveness of convex polyhedron analysis. The convex polyhedron domain is an example of an infinite-height abstract domain, and such domains require some method of ensuring termination of the analysis. Typically widening is used for this purpose. Widening introduces a trade-off between precision of the approximation and efficiency of the analyser. Different methods for improving the precision of widening for the convex polyhedral domain have been suggested [23,8,24,28]. The tool allows various options to be selected easily, and the results displayed. The tool also incorporates size abstractions and permits both goal-independent and goal-dependent analysis, the latter via query-answer transformation. Since the tool is intended as an aid to experimentation, a verbose option allows a trace of the analysis to be viewed; this is especially useful in understanding where information is lost due to widening and the convex hull operation.

Outline of the Paper. Section 2 will describe the convex polyhedron domain and operations required for an analyser for this abstract domain. Section 3 describes the abstract domain of convex polyhedra for CLP programs. Section 4 describes the implementation details of our convex polyhedron analyser and a web interface for the analyser. Section 5 contains experimental results for the analyser.

2 Convex Polyhedra 

Polyhedra are geometric representations of linear systems of equalities and inequalities. A convex polyhedron is a region of an n-dimensional space that is bounded by a finite set of hyperplanes. For not necessarily closed (NNC) convex polyhedra strict inequalities are allowed in the representation of the polyhedron. Certain constraint systems cannot easily be described using only closed convex polyhedra. Accurate descriptions would require the use of open inequalities.

The set $\mathcal{P} \subseteq \mathbb{R}^n$ is a not necessarily closed polyhedron (NNC polyhedron) if either

- it is the intersection of a finite family of open or closed linear halfspaces of the form $\{x \mid ax \ge c\}$ or $\{x \mid ax > c\}$, where $\mathbb{R}^n$ is the n-dimensional vector space on real numbers, $a \in \mathbb{R}^n$ is a non-zero row vector, $c \in \mathbb{R}$ is a scalar constant and $x = (x_1, \ldots, x_n)$; or

- $n = 0$ and $\mathcal{P} = \emptyset$.

The set of all NNC polyhedra on the vector space $\mathbb{R}^n$ is denoted $\mathbb{P}_n$. Each polyhedron is the set of solutions to a constraint system

$$\mathcal{P} = \{x \in \mathbb{R}^n \mid A_1 x = b_1,\ A_2 x \ge b_2,\ A_3 x > b_3\}$$

where $\forall i \in \{1, 2, 3\}$, $A_i \in \mathbb{R}^{m_i \times n}$ and $b_i \in \mathbb{R}^{m_i}$, and $m_1, m_2, m_3 \in \mathbb{N}$ are the numbers of equalities, inequalities and strict inequalities respectively.

We use $C$ to denote the constraint representation of the polyhedron $\mathcal{P}$:

$$\mathcal{P} = con(C)$$

2.1 Operations on polyhedra 

For a convex polyhedron analysis of a program a few operations on polyhedra are required.

Intersection The intersection of two polyhedra $\mathcal{P}_1, \mathcal{P}_2 \in \mathbb{P}_n$ is denoted $\mathcal{P}_1 \cap \mathcal{P}_2$, and it is the largest NNC polyhedron that is included in both $\mathcal{P}_1$ and $\mathcal{P}_2$.

Convex Hull The convex polyhedral hull of two polyhedra $\mathcal{P}_1, \mathcal{P}_2 \in \mathbb{P}_n$ is denoted $\mathcal{P}_1 \uplus \mathcal{P}_2$, and it is the smallest NNC convex polyhedron that contains both $\mathcal{P}_1$ and $\mathcal{P}_2$. The convex hull is an upper approximation of union, since convex polyhedra generally are not closed under union.

Emptiness Given a set of constraints, the polyhedral representation of this set may be empty if the constraints are not satisfiable. Checking satisfiability of a set of linear constraints is decidable.

Inclusion The convex polyhedron analysis proceeds as a fix point computation. Some mechanism for establishing when convergence is reached is needed. This can be achieved by checking inclusion between two polyhedra. E.g. for all $\mathcal{P}_1, \mathcal{P}_2 \in \mathbb{P}_n$, $\mathcal{P}_1 = con(C_1)$ entails $\mathcal{P}_2 = con(C_2)$ iff $C_1 \subseteq C_2$. This is also decidable.

Projection The projection operation returns the most precise polyhedron which does not depend on a given dimension. Given an n-dimensional polyhedron $\mathcal{P}$, the projection $\mathcal{P}' = proj(\mathcal{P}, j)$ will return the most precise polyhedron, $\mathcal{P}'$, of dimension $n - 1$ that is entailed by $\mathcal{P}$ excluding its constraints on dimension $j$.

3 Convex Polyhedral Domain for Abstract Interpretation 

This section describes how convex polyhedra can serve as an abstract domain for abstract 
interpretation of logic programs. 

3.1 Partial Ordering on Polyhedra 

Polyhedra can be ordered in a partially ordered set where inclusion is used as the ordering, $(\mathbb{P}_n, \subseteq)$. We can add intersection as the greatest lower bound ($\sqcap$), the convex polyhedral hull as the least upper bound ($\sqcup$), $\mathbb{R}^n$ as top element and $\emptyset$ as the bottom element; thus we have a lattice $(\mathbb{P}_n, \subseteq, \cap, \uplus, \emptyset, \mathbb{R}^n)$. This property makes convex polyhedra a suitable domain for program analysis, in particular for abstract interpretation. The lattice is not a complete lattice, but completeness is not required for abstract interpretation to be applied.

The polyhedron will provide an abstraction of each program point in the program, 
where the definition of a program point would depend on both the programming language 
and the program analysis. For a logic program the program points would be the predicates 
in that program. 

The abstract domain is the set of mappings $(Pred \mapsto \mathbb{P})$ where an n-ary predicate $p \in Pred$ is mapped to an n-dimensional polyhedron $\mathcal{P} \in \mathbb{P}_n$. Inclusion is used as the ordering over the mappings. For instance, for the mappings $m_1$ and $m_2$ the ordering is

$$m_1 \sqsubseteq m_2 \equiv \forall p \in Pred,\ m_1(p) \subseteq m_2(p)$$

We can also represent such a mapping as a set of constrained atoms

$$p(x_1, \ldots, x_n) \leftarrow c(x_1, \ldots, x_n)$$

where $\mathcal{P} = con(c(x_1, \ldots, x_n))$ for some n-dimensional polyhedron $\mathcal{P}$.

For a finite set of predicates $\{p_1, \ldots, p_k\}$ we can represent the mappings as a tuple of polyhedra $(\mathcal{P}_1, \ldots, \mathcal{P}_k)$. The concretisation function of the mapping $m$ would be defined as

$$\gamma(m) = \{p(t_1, \ldots, t_n) \mid (t_1, \ldots, t_n) \in m(p)\}$$

The abstract domain for a program would typically be a tuple of polyhedra, one element for each program point. The lattice structure is an extension of the one defined above, for example $(\mathcal{P}_1, \mathcal{P}_2, \ldots, \mathcal{P}_k) \sqsubseteq (\mathcal{Q}_1, \mathcal{Q}_2, \ldots, \mathcal{Q}_k)$ iff $\mathcal{P}_1 \subseteq \mathcal{Q}_1 \wedge \mathcal{P}_2 \subseteq \mathcal{Q}_2 \wedge \ldots \wedge \mathcal{P}_k \subseteq \mathcal{Q}_k$.



3.2 Widening for Convex Polyhedra 

In the domain of convex polyhedra infinite ascending chains can occur, hence the ascending chain condition is not satisfied. For program analysis purposes some mechanism for accelerating the fix point computations to convergence may be required to ensure termination. The most used mechanism for this is widening [21]. Widening in the convex polyhedra domain was defined by Cousot and Halbwachs [22] and refined in Halbwachs' PhD thesis. This widening operator is generally referred to as the standard widening, and few attempts have been made to improve the operator itself. Recently Bagnara et al. [3] suggested a framework for constructing improved widening operators for the convex polyhedral domain. Where the standard widening operator is restricted to only looking at the constraint representation of a polyhedron, the new operators can be based on both the constraint and the parametric representation. In short, the method allows operators that otherwise do not meet the widening operator criteria to be used, while still ensuring termination. The resulting widening operator is not guaranteed to be more precise than the standard widening, but it is never less precise.



3.3 Concrete and Abstract Semantics for CLP 

This section will describe the semantics of the convex polyhedron analyser. A concrete semantics and an abstract semantics will be defined. The concrete semantics is described similarly to the $T_P$ semantics [29]. The concrete domain will be over the set of all formulas $Atom \leftarrow Con$, where $Con$ is a constraint system. The immediate consequence operator is defined as:

$$T^C_P(I) = \left\{ A \leftarrow C \;\middle|\; \begin{array}{l} A \leftarrow B_1, \ldots, B_n \in P, \\ \{(B_1 \leftarrow C_1), \ldots, (B_n \leftarrow C_n)\} \subseteq I, \\ C' = \bigwedge_{i=1,\ldots,n} C_i,\ C' \neq \mathit{false}, \\ C = \mathit{project}(C', \mathit{Var}(A)) \end{array} \right\}$$

$$M^C[\![P]\!] = \mathit{lfp}(T^C_P)$$

It is assumed that all built-in constraint predicates are in $I$ (e.g. X<Y :- X<Y is in $I$). We also assume that some adequate satisfiability and projection algorithm for the constraints appearing in the program exists. The set of constrained atoms $\{(B_1 \leftarrow C_1), \ldots, (B_n \leftarrow C_n)\}$ is renamed apart. The domain of the interpretation is the powerset of the set of facts of the form $p(X_1, \ldots, X_n) \leftarrow C$, where $p$ is a predicate in $P$ and $C$ is a set of constraints over $X_1, \ldots, X_n$.

The abstract semantics is defined next. Let $T^C_P$ be the concrete semantics function; then the abstract semantics of the program $P$ is the fix point defined as

$$T^\alpha_P : 2^{Atom \leftarrow Con} \to 2^{Atom \leftarrow Con}$$

$$T^\alpha_P(I) = I \uplus T^C_P(I)$$

$$M^\alpha[\![P]\!] = \mathit{fp}(T^\alpha_P)$$

where the convex hull operator is extended to operate on constrained atoms. Clause heads are standardised so that variables in the heads are renamed consistently; for example, constants occurring in heads are replaced with a variable, and this variable and its constraint are added to the clause body. The domain of the abstract semantics is the powerset of the set of facts of the form $p(X_1, \ldots, X_n) \leftarrow \mathcal{P}_n$, where $p$ is a predicate in $P$ and $\mathcal{P}_n$ is an NNC convex polyhedron.

3.4 Precision Improvements 

Applying widening in convex polyhedral domain introduces a loss of precision. Different 
strategies have been suggested for minimising the loss of precision. 

Narrowing for Convex Polyhedra Narrowing in the convex polyhedra domain has so far been unexplored [3]. It has previously been suggested that narrowing for the convex polyhedral domain could produce more precision [8], but no implementation of narrowing has been proposed or experimented with.

Strictly speaking a narrowing operator must ensure eventual stabilisation according to the second requirement of its definition: an operator $\Delta : L \times L \to L$ is a narrowing operator if and only if

- for all descending chains $(l_n)_n$ the sequence $(l^\Delta_n)_n$ eventually stabilises

Quoting Cousot and Cousot in [21]:

A simple narrowing is obtained by limiting the length of the decreasing iteration sequence to some $k \ge 1$ (experience shows that $k > 1$ often brings no significant improvement).

This would indicate that it might be sufficient to look at the first requirement for a narrowing operator, and settle for a relatively low number of iterations, ignoring the convergence requirement.

As also suggested in [8] we propose the use of the greatest lower bound (glb) as a simple narrowing operator. For polyhedra the glb is the intersection operation. The use of the intersection operator is safe, in the sense that it yields a safe approximation of the least fix point, but it does not guarantee convergence.

The glb operator, in this case intersection, is applied at each program point, $p$, to the polyhedron derived from the widened fix point computations, $\mathcal{P}_{p_\nabla}$, and the polyhedron derived from applying the semantic transfer function $f$ to the program point $p$. If narrowing results in a more precise approximation for some program point $p$, then the narrowing procedure must be reiterated to ensure that the most precise approximation is used for narrowing of those program points that depend on $p$:

$$\mathcal{P}_{p_\Delta} = \mathcal{P}_{p_\nabla} \cap f(\mathcal{P}_{p_\Delta}) \qquad \text{otherwise}$$


Delayed Widening This technique is quite simple. The application of the widening 
operator is delayed for a number of iterations. This will allow the analyser to build a set 
of more explicit constraints to widen on [23] and produce more precise analysis results as 
shown in [8]. 



Widening with thresholds/widening up-to This technique was described for the interval domain in [13] and for the convex polyhedral domain in [24]. In the interval domain, variables in a program are abstracted by a tuple $[a, b]$ with $a \le b$, indicating a lower and upper bound on the values that the abstracted variables can have during execution of the program.

The need for this arose from the fact that narrowing for the interval domain would not recover bounds on loop variables if the exit condition for the loop contained disequalities. A finite set of threshold values, $T$, including $-\infty$ and $+\infty$, is used to find better approximations of lower or upper bounds than simply $-\infty$ and $+\infty$. Widening with thresholds for the interval domain is defined as

$$[a, b]\ \nabla_T\ [a', b'] = [a_h, b_h] \quad\text{where}\quad a_h = \begin{cases} a & \text{if } a' \ge a \\ \max\{l \in T \mid l \le a'\} & \text{otherwise} \end{cases} \quad\text{and}\quad b_h = \begin{cases} b & \text{if } b' \le b \\ \min\{h \in T \mid h \ge b'\} & \text{otherwise} \end{cases}$$

The set of thresholds may be derived from the analysed program itself [24] or otherwise specified by the user.
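As an added example (not code from the paper), the following Python program runs the interval widening defined above on the loop x := 0; while x <> 10 do x := x + 1, whose exit condition is a disequality, and compares standard widening followed by one narrowing step with widening up-to the threshold set T = {-inf, 10, +inf}. The interval representation, the transfer function and the threshold set are constructed for this illustration.

```python
"""Interval widening with thresholds versus standard widening plus narrowing.

Added example (not code from the paper) for the interval-domain definition in
Section 3.4.  The analysed loop is   x := 0; while x <> 10 do x := x + 1
whose exit condition is a disequality.  Intervals are (lo, hi) tuples with
-inf/+inf for unbounded ends; None is the empty interval.  Everything below is
constructed for this illustration.
"""
from math import inf

INF = inf
THRESHOLDS = {-INF, 10, INF}   # T must contain -inf and +inf


def hull(i, j):
    """Least upper bound of two intervals."""
    if i is None:
        return j
    if j is None:
        return i
    return (min(i[0], j[0]), max(i[1], j[1]))


def meet(i, j):
    """Greatest lower bound (intersection), used here as the narrowing operator."""
    if i is None or j is None:
        return None
    lo, hi = max(i[0], j[0]), min(i[1], j[1])
    return (lo, hi) if lo <= hi else None


def filter_neq(i, c):
    """Best interval for an integer x in i with x <> c: only an endpoint can be cut."""
    if i is None:
        return None
    lo, hi = i
    if lo == hi == c:
        return None
    if lo == c:
        return (lo + 1, hi)
    if hi == c:
        return (lo, hi - 1)
    return i


def transfer(i):
    """Loop-head transfer function: entry with x = 0, or continue when x <> 10 and increment."""
    body = filter_neq(i, 10)
    step = None if body is None else (body[0] + 1, body[1] + 1)
    return hull((0, 0), step)


def widen_std(i, j):
    """Standard interval widening: an unstable bound jumps straight to infinity."""
    if i is None:
        return j
    lo = i[0] if j[0] >= i[0] else -INF
    hi = i[1] if j[1] <= i[1] else INF
    return (lo, hi)


def widen_upto(i, j, thresholds=THRESHOLDS):
    """[a,b] nabla_T [a',b'] = [a_h, b_h] exactly as defined in Section 3.4."""
    if i is None:
        return j
    (a, b), (a2, b2) = i, j
    a_h = a if a2 >= a else max(l for l in thresholds if l <= a2)
    b_h = b if b2 <= b else min(h for h in thresholds if h >= b2)
    return (a_h, b_h)


def analyse(widen, narrowing_iterations=1):
    """Widened ascending iteration to a post-fixpoint, then a fixed number of
    narrowing steps with the meet, as proposed for the polyhedral analyser."""
    cur = None
    while True:
        nxt = widen(cur, hull(cur, transfer(cur)))
        if nxt == cur:
            break
        cur = nxt
    for _ in range(narrowing_iterations):
        cur = meet(cur, transfer(cur))
    return cur


if __name__ == "__main__":
    print("standard widening + narrowing:", analyse(widen_std))   # (0, inf)
    print("widening up-to T:            ", analyse(widen_upto))  # (0, 10)
```

With the disequality exit condition the narrowing step cannot shave the infinite bound off [0, +inf], whereas the threshold 10 taken from the program text yields [0, 10] directly.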

We will implement this in the convex polyhedron analyser for constraint logic programs 
described later. We suggest initially to derive the set of widening-up-to constraints, which 
we will call the bounding convex polyhedron, from the analysed program itself. For con- 
straint logic programs, this set can easily be obtained for each predicate in the program, 
by taking the convex hull of the polyhedra derived from intersecting the constraints on 
the built-in arithmetic predicates occurring in each clause body. 

Definition 1 (Clause constraints). The set of clause constraints for a program $P$ is defined as:

$$\mathcal{C}(P) = \left\{ A \leftarrow \bigwedge_{i=1}^{n} B^{lin}_i \;\middle|\; A \leftarrow B_1, \ldots, B_n \in P,\ B^{lin}_i = \mathit{linearise}(B_i) \right\}$$

where $\mathit{linearise}(B)$ returns the linear approximation of an atom $B$ if $B$ is a built-in arithmetic predicate; otherwise the atom $B$ is unconstrained.

Non-linear built-ins, for example the bitwise or-operator, can be given a linear approximation; in this case the expression X is Y \/ Z can be approximated by the constraint $X \le Y + Z$. These approximations may not be exact, and the or-operator may not occur frequently in CLP programs, but they broaden the set of programs the analyser can handle.



Definition 2 (Bounding convex polyhedron). The bounding convex polyhedron for a program $P$ is defined as:

As long as this set of "widen-up-to" constraints remains static each time the widening up-to operator is applied, convergence is assured.



Selecting Widening Points Another way of minimising the loss of precision introduced by widening is to find a good set of widening points, $W$, as small as possible. When $W$ is chosen such that every loop in the dependency graph contains at least one element also in $W$, then any chaotic iteration strategy [20,18] over the system of semantic equations will terminate with a safe approximation of $\mathit{lfp}(f)$ [14]. Bourdoncle [14] and Cousot [19] suggested methods for selecting the set of widening points. Both suggested a method based on detecting feedback edges in the dependency graph [2]. The predicate call graph of typical logic programs would contain many small strongly connected components, typically arising from predicates with direct recursion. For imperative programs, and in particular programs allowing goto-statements, the dependency graph would contain few large strongly connected components. Applying the feedback edge detection to such programs may result in a set of widening points much larger than the optimal set.

We have implemented a simple cut-loop algorithm that for some dependency graphs will lead to a smaller set of widening points than the feedback edge detection.

Input: Dependency graph G = (N, E)
Output: Widening points W ⊆ N

Begin
  loops = ∅
  for n ∈ N
    traverse(n, [])
  W = ∅
  while loops ≠ ∅
    for n ∈ N
      loopCount[n] = |{l | l ∈ loops, n ∈ l}|
    candidates = {n ∈ N | loopCount[n] = max_{j ∈ N}(loopCount[j])}
    select wp ∈ candidates
    loops = loops \ {l ∈ loops | wp ∈ l}
    W = W ∪ {wp}
End

traverse(n, n_ancestors) {
  if visited(n, G) then
    if n ∈ n_ancestors then
      loop = path from n ∈ n_ancestors to head of n_ancestors
      loops = loops ∪ {loop}
    endif
  else
    markVisited(n, G)
    for n_s ∈ Succ(n, G)
      traverse(n_s, [n | n_ancestors])
  endif
}




Fig. 1. Directed Graph with multiple entry nodes, e.g. {6, 7}. 



The algorithm traverses the graph and records the loops found. The first widening point selected is the node that is part of the highest number of loops. The set of loops that includes this widening point is then eliminated. This procedure continues until all loops have been eliminated. Figure 1 shows a graph with a strongly connected component having nodes that are part of more than one loop, these being the nodes 1, 2 and 4. Additionally the graph has more than one entry node, e.g. {6, 7}. Applying the feedback edge detection to this graph would result in the set of widening points being either {3, 5} or {4, 5} depending on which entry node is chosen first. The cut-loop algorithm would choose only node 1 as widening point for any node selected as the entry node.
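The following Python implementation of the cut-loop heuristic is an added example, not code from the paper or the CHA tool. It runs the traverse/selection procedure above on a constructed dependency graph (not the graph of Figure 1), compares the result with a plain DFS back-edge heuristic standing in for feedback-edge detection, and checks the termination condition stated above: removing W must leave the dependency graph acyclic.

```python
"""Widening-point selection for a predicate dependency graph.

Added example (not code from the paper or the CHA tool): the cut-loop
heuristic of Section 3.4, a plain back-edge heuristic standing in for
feedback-edge detection, and a check that a chosen set W really cuts every
loop, which is the condition under which chaotic iteration terminates.
"""
from collections import Counter


def find_loops(graph):
    """Loops recorded by the paper's traverse(n, ancestors): a DFS that records
    the ancestor path whenever it re-enters a node already on that path.
    Returns a set of frozensets of nodes."""
    visited, loops = set(), set()

    def traverse(n, ancestors):
        # ancestors: path from the DFS root to n's parent, most recent first
        if n in visited:
            if n in ancestors:
                loops.add(frozenset(ancestors[: ancestors.index(n) + 1]))
            return
        visited.add(n)
        for s in graph.get(n, ()):
            traverse(s, [n] + ancestors)

    for n in sorted(graph):
        traverse(n, [])
    return loops


def cut_loop_widening_points(graph):
    """Greedy cut-loop selection: repeatedly pick the node lying on the most
    remaining loops (smallest node id on ties) and drop the loops it cuts."""
    loops = find_loops(graph)
    wps = set()
    while loops:
        count = Counter(n for loop in loops for n in loop)
        best = max(count.values())
        wp = min(n for n, c in count.items() if c == best)
        loops = {loop for loop in loops if wp not in loop}
        wps.add(wp)
    return wps


def back_edge_widening_points(graph, entry):
    """Targets of DFS back edges reached from one entry node; the result
    depends on which entry node is explored first."""
    visited, on_path, wps = set(), [], set()

    def dfs(n):
        visited.add(n)
        on_path.append(n)
        for s in graph.get(n, ()):
            if s in on_path:
                wps.add(s)
            elif s not in visited:
                dfs(s)
        on_path.pop()

    dfs(entry)
    return wps


def cuts_every_loop(graph, wps):
    """True iff removing wps leaves the graph acyclic, i.e. every loop in the
    dependency graph contains a widening point."""
    rest = {n: [s for s in succ if s not in wps]
            for n, succ in graph.items() if n not in wps}
    state = {}  # 1 = on current DFS path, 2 = finished

    def acyclic_from(n):
        state[n] = 1
        for s in rest.get(n, ()):
            if state.get(s) == 1 or (s not in state and not acyclic_from(s)):
                return False
        state[n] = 2
        return True

    return all(n in state or acyclic_from(n) for n in sorted(rest))


# Constructed dependency graph (not Figure 1 of the paper): node -> successors.
# Nodes 6 and 7 are entry nodes; every loop passes through node 1.
EXAMPLE_GRAPH = {1: [2, 4], 2: [3, 4], 3: [1], 4: [1], 5: [], 6: [1], 7: [3]}

if __name__ == "__main__":
    print("cut-loop:", cut_loop_widening_points(EXAMPLE_GRAPH))          # {1}
    for entry in (6, 7):
        print("back edges from", entry, back_edge_widening_points(EXAMPLE_GRAPH, entry))
    print("W={1} cuts every loop:", cuts_every_loop(EXAMPLE_GRAPH, {1}))  # True
```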

4 Description of the Analysis Tool 

In this section we describe the analysis tool and the main features of its implementation. The polyhedral analysis algorithm itself, specified as the least fix point of the $T_P$ operator in Section 3.3, is implemented in Ciao Prolog [15]. The initial implementation was based on a method for constructing bottom-up evaluators for logic programs, developed by Codish and Søndergaard [16,17]. The naive bottom-up interpreter is a small Prolog program, closely implementing the $T_P$ semantics. In each iteration, clause heads whose body can be proven from existing facts are asserted as new facts themselves. The program is evaluated iteratively until a fix point is reached. A fix point is reached when no new heads can be asserted on some iteration.

For the convex polyhedron analyser the naive bottom-up interpreter is modified so that each fact is associated with a polyhedron. Thus the predicate "facts" has two arguments, an atom of the form $p(X_1, \ldots, X_n)$ and a set of constraints $C$ over (some of) the variables $X_1, \ldots, X_n$. In addition we modified the naive fixpoint iteration to incorporate the well-known semi-naive optimisation and decomposition of the single fixpoint computation into a sequence of fixpoints for the strongly connected components of the predicate dependency graph.

4.1 The Parma Polyhedra Library 

For handling the polyhedra, we use the Parma Polyhedra Library (PPL) (version 0.9), a programming library targeted especially at analysis and verification [7,5]. The PPL was chosen since it implements the operations needed for a convex polyhedron analyser and it has interfaces for a variety of programming languages including Ciao Prolog [15]. It is also portable, free, well documented and well engineered. In addition it supports operations on not necessarily closed polyhedra [4,7]. Development began in 2001 and the library is under further development. Other libraries for manipulating polyhedra exist, such as the NewPolka library¹ and PolyLib².

The PPL interface to Ciao Prolog provides "handles" to polyhedra, which are constants within Prolog code. When passed as arguments to PPL functions they become keys giving access to specific polyhedra. The predicate facts described above thus have PPL handles as their second arguments instead of sets of constraints. During the analysis the Prolog code does not manipulate constraints directly at all, apart from those appearing directly in the code of the program to be analysed.

Web interface The web interface has the following main functions.

- Browsing and uploading of a program from the user's machine. Some prepared examples can also be selected.

- Abstraction of the uploaded program using size-norms (currently term-size and list-length norms are available).

- Selection of options for widening, delayed widening, narrowing (number of narrowing iterations), and widening up-to (two variants).

- Optional provision of widening points.

- Selection of output information, including a trace of the successive operations during the fixpoint computation and narrowing phase, timing information and constraint counts (a rough measure of precision).

- Query-answer transformation of the uploaded program. This allows for analysis with respect to a supplied goal.

The interface is implemented in PHP and calls the analyser using the script facility of Ciao Prolog, allowing a program to be executed from a command line. A screenshot of the web interface is shown in Figure 2.

The web interface is available at http://wagner.ruc.dk/CHA/

¹ http://pop-art.inrialpes.fr/people/bjeannet/newpolka/index.html

² http://icps.u-strasbg.fr/PolyLib/



Fig. 2. Screenshot of web interface ("Convex Hull Analyser for constraint logic programs"). Controls visible in the screenshot: program example selection (quicksort.pl) with Browse/Upload, a Query field, Answer-predicates and Builtin-predicates checkboxes, Apply Size Abstraction (List or Term), and options for Widening operator, Widen up-to, Widen At, Delayed widening, Detect widening points (Feedback Edges), Narrowing iterations and Verbose level, with a Compute Convex Hull Approximation button.

5 Experiments 

We describe some ongoing work in analysing CLP models of embedded systems and of a 
small microcontroller. 

5.1 Experiments with Embedded System Designs 

We have experimented with the CHA tool in analysing embedded systems that are (i) 
formally specified as Linear Hybrid Automata (LHA) [1] or (ii) programmed in SIGNAL 
[11]. LHA is a formal specification language while SIGNAL is a programming language 
for reactive systems. Both these languages are extensively used in the embedded systems 
domain, where the systems are reactive and state transition systems. 

In ongoing work, systematic semantic mappings are defined for each of these languages 
to transform the systems in these languages into CLP programs, which are analysed by 
the CHA tool to extract the linear invariants on the system variables. (Note that the CLP 
programs here are not necessarily intended to be executed, though they could be used 
to simulate behaviour in some cases.) We sketch in this section a water-level controller 
specified by an LHA model, taken from [24], and a similar example of a tub-controller 
specified by a SIGNAL program [12]. We also proved properties of an LHA model of the 
Fischer mutual exclusion protocol, also taken from [24] . 

Rather than developing a customized solution algorithm and tool for each formalism, 
our approach provides one single tool which could be employed for extracting linear 
invariants from any formal specification of a state transition system. Further, much of 
mathematics concerned with fixed-point equations is handled in a uniform way within 
the model semantics of CLP; all the user needs to provide is a CLP equivalent of the 
system to be analysed. Of course, a correct translation of each formalism to CLP has 
to be performed, but we believe that this is generally a simpler task than writing a new 
analyser for each formalism. 
Fig. 3. A Water-level Monitor



LHA. Informally an LHA is a state transition system, with locations and transitions. In 
locations the variables vary following a linear law respecting an imposed linear invariant 
on such variables, while transitions are triggered by the linear guards. The LHA model 
(quoted from [24]) for the water-level-controller is depicted in Figure 3. Boxes represent 
locations while arrows represent transitions. Each box (location) may contain one or more 
linear conditions over the variables, and constant varying rates of these variables with 
respect to time. The linear conditions are the invariants imposed on the corresponding 
locations. Such a system translates to the following semantically equivalent CLP program. 



l0(W1,X1) :- W1=1.
l1(W1,X1) :- l0(W,_), W=10, W1=W, X1=0.
l2(W1,X1) :- l1(W,X), X=2, W1=W, X1=X.
l3(W1,X1) :- l2(W,X), W=5, W1=W, X1=0.
l0(W1,X1) :- l3(W,X), X=2, W1=W, X1=X.

l0(W1,X1) :- l0(W,X), W1=W+1, W1<10, X1=X+1.
l1(W1,X1) :- l1(W,X), W1=W+1, X1=X+1, X1<2.
l2(W1,X1) :- l2(W,X), W1=W-2, W1>5, X1=X+1.
l3(W1,X1) :- l3(W,X), W1=W-2, X1=X+1, X1<2.



Though the above CLP program specifies the system behaviour faithfully, one can 
only observe the state variables at discrete time points as we model time growing with a 
granularity of 1 time unit. Therefore our analysis is based on this discrete state space. 

The range of the water level is given by the first argument in the predicates l0 to l3. By adding extra clauses we can easily project out the constraints on this argument.

w0(W) :- l0(W,_).   w1(W) :- l1(W,_).   w2(W) :- l2(W,_).   w3(W) :- l3(W,_).

Computing the model of the above program with these extra projection clauses, we obtain the bounds on the water level in each state.

w0(A) :- -1*A> -10, 1*A>=1.      w1(A) :- -1*A> -12, 1*A>=10.
w2(A) :- -1*A>= -12, 1*A>5.      w3(A) :- -1*A>= -5, 1*A>1.

These are the same results reported in [24], where the reachable locations are charac- 
terized by a fixed point equation on the forward collecting semantics of LHA, and the 
abstract interpretation is applied to automatically compute the upper approximation of 
the solution to this fixed point equation. 

We also succeeded in verifying a property of the Fischer mutual exclusion protocol, 
also taken from [24]. In this case, the task is to show under which conditions a critical 
section could be entered by more than one process simultaneously. Space does not permit 
the detailed description of the system and its translation to CLP (please refer to the 
cited paper). The generated constraints on the illegal state l5 were the following (again, identical to the constraints derived in [24]).

l5(A,B,C,D) :- 11*A+ -10*B+10*C+ -11*D>=0, 11*A+ -10*B>=0, 1*A+ -1*D>=0, 10*C+ -9*D>=0, 1*D>=0, -9*A+10*B>=0.

From this it can be deduced that the state is unreachable if 9*D > 10*C. The unreachability of this state can also be verified in the CHA tool by adding this constraint to the initial state. The empty polyhedron is then obtained as the solution to predicate l5.



SIGNAL. SIGNAL [11] is a programming language for reactive systems, which is very popular in implementing mission critical systems. Again the SIGNAL program is systematically translated into a constraint logic program, and is subjected to convex polyhedron analysis by the CHA tool. The following is the specification of a tub controller (quoted from [12]) with a tap (faucet) and a pump in SIGNAL.

(| level := zlevel + faucet - pump
 | faucet := zfaucet + ((1 when zlevel <= 4) default (-1 when zfaucet > 0) default 0)
 | pump := zpump + ((1 when zlevel >= 7) default (-1 when zpump > 0) default 0)
 | alarm := (0 >= level) or (level >= 9)
 |)
init zlevel = 1; zfaucet = 0; zpump = 0; zalarm = false



In the given SIGNAL program, sub-systems level, faucet, pump and alarm are com- 
posed in parallel, where level computes the water-level; faucet computes the opening 
position for the faucet; pump computes the pumping rate of water; and alarm raises an 
alarm when the water-levels exceed the set limits. A CLP translation, modelling the states 
in the associated transition semantics of SIGNAL, is as follows. 



tubsystem :-
    tubsystemStates(0,0,1).

tubsystemStates(A,B,C) :-
    faucetlogic(C,A,F),
    pumplogic(C,B,G),
    levelLogic(C,G,F,H),
    alarmLogic(H,I),
    tubsystemStates(F,G,H).
tubsystemStates(A,B,C).

levelLogic(L,P,T,L1) :- L1 is L+T-P.
alarmLogic(L,0) :- L > 0, L < 9.
alarmLogic(L,1) :- L =< 0.
alarmLogic(L,1) :- L >= 9.
faucetlogic(L,T,T1) :- L =< 4, T1 is T+1.
faucetlogic(L,T,T1) :- L > 4, T > 0, T1 is T-1.
faucetlogic(L,T,0) :- L > 4, T =< 0.
pumplogic(L,P,P1) :- L >= 7, P1 is P+1.
pumplogic(L,P,P1) :- L < 7, P > 0, P1 is P-1.
pumplogic(L,P,0) :- L < 7, P =< 0.



Note that in order to analyse the reachable states we need to analyse the calls to the pred- 
icate tubsystemStates starting from the initial call tubsystem, which is made possible 
in the CHA tool by selecting the query answer transformation option. However such an 
initial attempt to prove the invariants was unsuccessful. The constraints were over gen- 
eral and indicated that the alarm could possibly be activated (which in fact it cannot). 
Also the attempts to overcome the problem by transforming the above program, creating 
multiple versions of the predicate tubsystemStates for various cases did not solve the 
problem. The property that the alarm does not go off can be verified by first specialising 
the program with respect to the initial goal; the use of specialisation for model checking 
was described by Leuschel et al. [27]. Though the solution in this case is ad hoc, the fact 
that standard equivalence preserving CLP transformations can be applied to the program 
provides, we argue, further grounds for believing that CLP modelling and analysis of sys- 
tems is a flexible and powerful approach. Further work will aim at a more systematic 
integration of polyhedral analyses and program transformation. 
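As an added example (not from the paper), the following Python enumerates the states that the tub-system model above can reach from tubsystemStates(0,0,1) and checks the alarm invariant directly, which is what the polyhedral invariant must over-approximate. It assumes the partly legible clauses read L1 is L+T-P, T1 is T-1 and P1 is P-1, and it also reports the tightest per-argument bounds that any sound invariant on tubsystemStates must contain.

```python
from collections import deque

# Added example, not from the paper.  Assumption: the partly legible clauses read
# L1 is L+T-P, T1 is T-1 and P1 is P-1; the rest follows the listed clauses.

def faucet_logic(level, t):
    """faucetlogic(L,T,T1): open the faucet while the level is low, else close it."""
    if level <= 4:
        return t + 1
    return t - 1 if t > 0 else 0

def pump_logic(level, p):
    """pumplogic(L,P,P1): pump harder while the level is high, else wind down."""
    if level >= 7:
        return p + 1
    return p - 1 if p > 0 else 0

def level_logic(level, p1, t1):
    """levelLogic(L,P,T,L1): level plus faucet inflow minus pump outflow."""
    return level + t1 - p1

def alarm_logic(level):
    """alarmLogic(L,A): 0 while 0 < L < 9, otherwise 1."""
    return 0 if 0 < level < 9 else 1

def step(state):
    """The recursive tubsystemStates(A,B,C) clause: (faucet, pump, level) -> successor."""
    a, b, c = state
    f = faucet_logic(c, a)
    g = pump_logic(c, b)
    return (f, g, level_logic(c, g, f))

def reachable(initial=(0, 0, 1)):
    """Breadth-first closure of step from the initial call tubsystemStates(0,0,1)."""
    seen, todo = {initial}, deque([initial])
    while todo:
        nxt = step(todo.popleft())
        if nxt not in seen:
            seen.add(nxt)
            todo.append(nxt)
    return seen

def alarm_ever_raised(states):
    """True if alarmLogic would yield 1 in any reachable state."""
    return any(alarm_logic(level) == 1 for _, _, level in states)

def bounding_box(states):
    """Tightest bounds per argument: the least box any sound invariant must contain."""
    return tuple((min(s[i] for s in states), max(s[i] for s in states)) for i in range(3))
```

Under these assumptions the model has nine reachable states and the level stays within 1..8, so the alarm clauses with L =< 0 or L >= 9 are never selected; a query-answer analysis that reports otherwise is over-approximating.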



5.2 Experiments with a model of the PIC microcontroller 

The convex polyhedron analyser has been used to analyse CLP programs derived from 
specialisation of a CLP based emulator for the PIC microcontroller [25] . These programs 
are fairly large as Table 1 shows. Each instruction in the PIC program will generate an 
equivalent predicate in the specialised CLP program. A typical predicate would look as 
shown: 



execute__6(A,B,C,D) :- 
    E is A+C, F is E>>8, 
    E\==0, F\==0, 
    G is 24\/1, H is D+1, 
    execute__7(E,B,C,H). 

Each argument of the execute-predicates contains an element of the live machine state 
at that program point. These elements are accumulator, clock, data registers and stack. 
The analysis of the program containing the predicate shown above results in the following 
constraints on the arguments: 1*D>=5,4*B+1*D=45,2*A+ -5*D= -25,1*C=10. 

Scalability The three test case programs have from 200 to 600 clauses. The predicates 
of the largest program have on average 18 arguments. For these test results no improved 
widening techniques were enabled. The tests show that even larger CLP programs can 
be analysed in just one minute. Timing results were collected on a machine running Linux 
equipped with a 1GHz Pentium III processor and 256MB RAM. 



Program        No. Clauses  Size (kb)  Avg. arity  Iterations   Analysis 
                                                   to fixpoint  Time (sec.) 
Compass                199         16         3.5          158            6 
Accelerometer          274         19         3.2          127           26 
GPS                    631         94          18          209           70 

Table 1. Analysis time for specialised CLP programs 



Precision Analysing larger programs such as the ones shown in Table 1 produces sets of 
constraints too large to show here. Generally speaking, a set containing a higher number 
of constraints also represents a more precise approximation, so we use the number of con- 
straints as a crude measure of precision. The results shown in Table 2 therefore list only 
the total number of constraints for the whole program. Different combinations of widening 
techniques have been applied to the same program. The table shows that for the compass 
program the most precise result is obtained by combining all the improved widening tech- 
niques. For the accelerometer program, narrowing and delayed widening give no increased 
precision in combination with widening up-to. 

Selection of widening points Precision and efficiency of the analysis can also be 
affected by the choice of widening points; generally, the fewer widening points the better. 
The specialised PIC programs have a dependency graph similar to that of imperative 
programs (few large strongly connected components) rather than that of a more typical 
logic program (many small strongly connected components). Table 3 shows the compass 
program analysed using both the feedback edge detection of widening points and the cut- 
loop algorithm outlined in Section 3.4. Analysing using the smaller set of widening points 
can produce more precise results, though for this example no better approximation can 
be achieved than using all the improved widening techniques. 



Program   Delayed       Simple        Widen   Resulting 
          Widening      Narrowing     up-to   Constraints 
          (iterations)  (iterations)          (Number of) 
Compass        -             -          -        200 
Compass        -           200          -        209 
Compass        -             -         yes       302 
Compass       10             -          -        354 
Compass       10           200          -        357 
Compass       10             -         yes       362 
Compass       10           200         yes       363 
Accel.         -             -          -        420 
Accel.         -           300          -        420 
Accel.        10             -          -        420 
Accel.         -             -         yes       426 
Accel.        10           300         yes       426 

Table 2. Improved Widening Techniques 



Delay  Narrow  Widen   Feedback-edge         Cut-Loop 
               up-to   (22 widening points)  (12 widening points) 
  -      -       -            200                   200 
  -     200      -            209                   209 
  -      -      yes           295                   302 
 10      -       -            340                   354 
 10      -      yes           355                   357 
 10     200      -            357                   362 
 10     200     yes           363                   363 

Table 3. Feedback-edge results compared to Cut-Loop results 



5.3 Comparison with existing convex polyhedron analyser 

A convex hull analyser for CLP programs was reported in [8, 10] (footnote 3). This analyser 
was compared to previous analysers, selecting the tricky test cases for comparison. Applying 
our analyser to the same set of test case programs we obtain equally precise approximations. 
Compared to the Benoy and King analyser, ours has been extended with a few improved 
widening techniques and program transformation tools. This allows a wider range of pro- 
grams to be analysed using our tool. For instance, the following program can be analysed 
with respect to the query exp(_, 10, _) and, with a single narrowing operation applied, it 
provides both an upper and lower bound on the second argument of exp_/4. 

exp(X,Y,Z) :- exp_(X,Y,1,Z). 

exp_(_X,0,Ac,Ac). 
exp_(X,Y,Ac,Z) :- 
    Y > 0, 
    NewAc is X*Ac, 
    NewY is Y-1, 
    exp_(X,NewY,NewAc,Z). 
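The following added example (not from the paper) shows why the second argument of exp_/4 needs narrowing: standard widening on the call pattern of Y loses the lower bound, and one narrowing step recovers it, with or without delayed widening. It assumes an interval domain in place of the tool's polyhedra, which is enough for this single-argument argument.

```python
import math
from dataclasses import dataclass

# Added example, not from the paper: intervals stand in for the tool's polyhedra
# (an assumption made to keep the example short); the clause logic is exp_/4's.

@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def is_empty(self):
        return self.lo > self.hi

    def join(self, other):
        """Least upper bound (the interval analogue of the convex hull)."""
        if self.is_empty():
            return other
        if other.is_empty():
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def meet(self, other):
        """Intersection, used to apply the guard Y > 0."""
        return Interval(max(self.lo, other.lo), min(self.hi, other.hi))

    def widen(self, other):
        """Standard widening: any bound that moved is dropped to infinity."""
        return Interval(self.lo if other.lo >= self.lo else -math.inf,
                        self.hi if other.hi <= self.hi else math.inf)

def recursive_call(calls):
    """Calls to exp_ from the clause body: Y > 0 (Y >= 1 over integers), NewY is Y-1."""
    guarded = calls.meet(Interval(1, math.inf))
    return guarded if guarded.is_empty() else Interval(guarded.lo - 1, guarded.hi - 1)

def call_pattern(initial, delay=0, limit=100):
    """Call pattern of the second argument; widening starts after `delay` iterations."""
    calls = initial
    for i in range(limit):
        new = initial.join(recursive_call(calls))
        nxt = new if i < delay else calls.widen(new)
        if nxt == calls:
            return calls
        calls = nxt
    raise RuntimeError("no post-fixpoint within the iteration limit")

def narrow_once(initial, calls):
    """One narrowing step over the widened pattern recovers the lost lower bound."""
    return initial.join(recursive_call(calls))
```

For the query exp(_, 10, _) the widened call pattern is Y =< 10 with no lower bound; one narrowing step yields 0 =< Y =< 10, matching the bounds the text describes.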

6 Conclusion 

We have developed a convex polyhedron analyser for constraint logic programs. The 
analysis tool has been integrated with program transformation techniques including size 
abstractions and query-answer transformations. The analyser has been extended with 
some improved widening and narrowing techniques. The tool has been made available 
online for convenient experimentation. 

We have applied the analyser to a variety of CLP programs, including CLP programs 
automatically derived from partial evaluation and embedded systems modelled in CLP. 
This is ongoing work but the tool has demonstrated its worth in providing the means for 
experimenting with different ways of gaining precision for each case study, and helping 
with understanding (via the "verbose" output) the reasons for imprecision when this 
occurs. 

6.1 Future Work 

A few widening strategies aiming at improving the precision of convex polyhedral analysis 
exist that are not part of our analyser tool. Widening with landmarks [28] shares some 
common traits with widening with thresholds. Where upper or lower bounds would be 
lost using standard widening, they can in some cases be recovered using narrowing. The 
widening with landmarks is a refinement of widening with thresholds, that will produce 
results precise enough that narrowing would not be needed to recover lost bounds. The 
look-ahead widening [23] is a recent method. Two polyhedra are used for abstracting each 
program point; a main and a pilot polyhedron. Widening and subsequent narrowing are 
only performed on the pilot polyhedron. The program is evaluated with respect to the 
main polyhedron, and program points that are not reachable under the main polyhedron 
are ignored. Once the pilot stabilises it is promoted to a main polyhedron and the program 
is reevaluated. This technique tries to solve the situations where during a loop a variable 
may be either increasing or decreasing. Widening in this situation may cause a loss of 
both upper and lower bounds. Both widening methods could be included in our tool. 

3 This analyser is also available online through the Ecce specialiser [?]: 
http://www.stups.uni-duesseldorf.de/~asap/asap-online-demo/mecce.php 

Automatic program transformations to improve precision are also of great interest in 
future work. In particular, multiple specialisations of one kind or another can preserve 
separate polyhedral approximations which would otherwise be merged by the convex hull 
operation, losing precision. To illustrate this principle, consider McCarthy's 91-function. 



mc91(N,X) :- N > 100, X is N - 10. 
mc91(N,X) :- N =< 100, Y is N + 11, mc91(Y,Y2), mc91(Y2,X). 
main(X,N) :- X =< 100, mc91(X,N). 



Here we provide a main call where the argument is at most 100, and the result in this case 
is 91 (if the input is an integer). The analyser is not able to deduce this, returning only a 
result that the answer is greater than 90. If we make two versions of the mc91 predicate, one 
(mc91h) handling arguments greater than 100 and the other (mc91l) handling arguments 
at most 100, we obtain the following program. 

mc91l(N,Out) :- N=<100, mc91h(N+11,X), mc91h(X,Out). 
mc91l(N,Out) :- N=<100, mc91h(N+11,X), mc91l(X,Out). 
mc91l(N,Out) :- N=<100, mc91l(N+11,X), mc91h(X,Out). 
mc91l(N,Out) :- N=<100, mc91l(N+11,X), mc91l(X,Out). 
mc91h(N,X) :- N > 100, X is N - 10. 

main(X,Y) :- X=<100, mc91l(X,Y). 

Analysing this program with the query main(X, Y) we obtain the result main_ans(A,B) :- 
A =< 100, B > 90, B =< 91. This is the most precise possible result and indeed there 
is only one integer, namely 91, in the solution for B. (Note that the predicate main_ans is 
generated by the query-answer transformation.) 

Such transformations need to be studied more thoroughly; in this case a simple enu- 
meration of the possible calls to the two versions suffices, but this is a naive approach in 
general and would cause the program size to blow up. A semantics-based approach based 
on Winsborough's multiple specialisation technique [30] would work in some cases, though 
not in the one above. A "bottom-up" version of the multiple specialisation analysis is a 
possible future investigation. 